malwarewikiaorg-20200223-history
Ear
Ear is a non-resident, direct action infector of .COM and .EXE programs, including COMMAND.COM. Payload When a program infected with the Ear virus is executed, the Ear virus will check to determine if more than two subdirectories exist on the current drive. If there are not at least two subdirectories, the virus will attempt to write to device AUX, and will normally result in an error. No programs will be infected. If two subdirectories exist, then the virus will infect all of the .COM and .EXE programs located in the current directory, and the program the user was attempting to execute will then run. Programs infected with the Ear virus will have a file length increase of 1,024 bytes with the virus being located at the end of the infected file. The program's date and time in the DOS disk directory listing will not be altered. The Ear virus will occassionally provide the user with a quiz on a part of the human ear when an infected program is executed. The messages displayed at this time are: PHALCON/SKISM 1992 Ear-6 Alert! Where is the $ located? 1. External Ear 2. Middle Ear 3. Inner Ear The "$" above in the second line will be replaced with one of the following: "Auditory Canal", "Lobe", "Hammer", "Eustacian Tube", "Auditory Nerve", or "Cochlea". If the user replies correctly, the virus will display: Wow, you know your ears! Please resume work. If the user replies incorrectly, the following is displayed: You obviously no nothing about ears. Try again after some study. The above text strings are encrypted within the virus and are not visible in infected files. Additional text strings which are encrypted within the virus are: Ear-6 Dark Angel *.EXE *.COM ????????COM Removal Delete the infected files. Variants Anti-Print Anti-Print is a memory resident infector of .EXE programs. When the first Anti- Print virus infected program is executed, the Anti-Print virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,248 bytes. Interrupt 21 will be hooked. Once resident, Anti-Print infects .EXE programs when they are executed. Infected programs will have a file length increase of 593 bytes with the virus being located at the end of the file. The file's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. The following text strings are encrypted within the Anti-Print viral code: PRINT.EXE detected in memory! => Anti-PRINT Virus detonation <= When the Anti-Print virus is memory resident, it will trash the current drive if PRINT.EXE is executed, along with displaying the above text as a message. System hangs may also frequently occur. Quake-O Quake-O infects up to three .EXE or .COM programs in the current directory each time an infected program is executed. Infected programs will have a file length increase of 960 bytes with the virus being located at the end of the file. There will be no change to the program's date and time in the DOS disk directory listing. The following text strings are encrypted within the Quake-O viral code: Quake-O By Dark Angel of PHALCON/SKISM '92 Assistance by Demogorgon on Quake-O routines Albeit .. *.exe *.com Suicide Suicide infects up to five .EXE or .COM programs in the current directory each time an infected program is executed. It has its own entry. Category:DOS Category:Virus Category:DOS virus